Vulnerability Development mailing list archives

Pgp.com was exposing ... information.


From: c c <cesarc56 () yahoo com>
Date: Wed, 6 Feb 2002 12:57:55 -0800 (PST)

Original post (02/01/2002)

<Cut Here------------------------
Blue Boar:

Hi. This post is similar to DeveloperStore...
OK. I post this to alert people; people must see how
companies handle security, and to educate people too.
I think you did a great job alerting Microsoft last
time; it would have been nice for me to get the same
attention from Microsoft. Now I have found this. I
contacted pgp.com but I didn't get any response and the
hole still exists. Maybe you want to contact and alert
them. I use the resources that I have to make contact. I
can't afford an international telephone call. It's up to
you to decide what to do with this post. Any kind of
action you take will be right.

Thanks.
Regards.

---------------0-------------Cut Here--->

Pgp.com selling security, showing insecurity.

Description:

A hole in a script page on pgp.com allows the
execution of arbitrary SQL commands.

http://www.pgp.com/naicommon/partners/tsp-seek/latam/resellers/resellers.asp?Country=')%20%20union%20all%20select%201,2,3,4,5,srvname,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22%20from%20master.dbo.sysservers--

If this exists, it may have little brothers.

This occurs for lack of input validation... I think no
more explanation is necessary.


I filled in this form last Thursday (01/24/2002):

http://www.pgp.com/aboutus/contactus/report.asp

I didn't check the field "I do not require a
response."

Then I submitted and this message was displayed:

        Report a problem

        Thank you. Your suggestion has been sent.
        
        We try our best to respond within 3 business days. 


Today (02/01/2002) I'm still waiting for a response or
for the hole to be fixed.


When I was constructing the sample exploit URL
(01/29/2002), I hoped to fire some IDS or database
alarms, so that they would see it and fix the problem,
but I had no luck. I raised almost 30 errors and no
alarm was fired, I think.
Or maybe alarms were fired but nobody checked them.

Conclusions:

This company has a lot of work to do in securing its
sites.
It seems that there is no IDS or ...nothing. So any
hacker is free to play on their sites without
being caught. This is an example of a company that
says:
"Do what I say, not what I do."

I don't remember what the last "P" stands for. Maybe
Privacy?


------------------------0--------------------------

What happens:

Blue Boar denied the post; he told me that he had
contacted someone at NAI and he was going
to prod them for a couple of business days, and then he
would ask me to repost. I agreed and waited. Every day I
checked and the hole was still there, until yesterday,
when the sample link didn't work but I got an SQL
error message. At first I was confused, because if they
had changed the script they must have fixed it, but
instead of fixing it they tricked the script to filter
some characters, and I could exploit the hole anyway.
The script filtered the following chars: "--", "=", ";"
and others. So the sample link got an error, but they
didn't filter "'", "like", "(", ")" and others, so the
hole could be exploited again:

http://www.pgp.com/naicommon/partners/tsp-seek/latam/resellers/resellers.asp?Country=')%20union%20all%20select%201,2,3,4,5,srvname,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22%20from%20master.dbo.sysservers%20where%20('1'%20like%20'1

I don't know why they did that; maybe they want to
learn some SQL injection techniques (at the cost of
exposing their info!!!) or they want to challenge me and
catch me. (I left them some nice messages in the logs.)
The hole was fixed today (02/06/2001) or last night
very late.

They haven't contacted me. Never mind, I know what to do
next time.

I want to ask you to think about this, because NAI is
a security-related company and I can't believe the way
they handle security.


     ...Always helping the fools.

Cesar Cerrudo.
Parana, Entre Rios.
Argentina.
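
Added example, not part of the original post and not code from pgp.com: a small Python/SQLite model of why stripping "--", "=" and ";" did not close the hole while a bound parameter does. The query shape, table names and data are assumptions constructed for illustration, and SQLite stands in for the SQL Server behind the real page.

```python
import sqlite3

BLOCKED = ("--", "=", ";")  # sequences the post says the changed script filtered

def make_db():
    """Constructed sample data; every table and column name here is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE resellers (name TEXT, country TEXT);
        INSERT INTO resellers VALUES ('Acme Seguridad', 'AR'), ('Beta Redes', 'CL');
        CREATE TABLE internal_servers (srvname TEXT);
        INSERT INTO internal_servers VALUES ('DB-INTERNAL-01');
    """)
    return db

def blacklist_filter(value):
    """Partial fix: strip a few token sequences, keep quotes and parentheses."""
    for token in BLOCKED:
        value = value.replace(token, "")
    return value

def lookup_concatenated(db, country):
    """Filtered input is still spliced into the SQL text, so it is parsed as SQL."""
    sql = ("SELECT name FROM resellers WHERE (country = '"
           + blacklist_filter(country) + "')")
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, country):
    """Real fix: the value is bound as data and never reaches the SQL parser."""
    sql = "SELECT name FROM resellers WHERE (country = ?)"
    return [row[0] for row in db.execute(sql, (country,))]

# Constructed inputs with the shape of the two URLs in the post.
WITH_COMMENT = "') UNION ALL SELECT srvname FROM internal_servers--"
WITH_LIKE = "') UNION ALL SELECT srvname FROM internal_servers WHERE ('1' LIKE '1"

if __name__ == "__main__":
    db = make_db()
    try:
        lookup_concatenated(db, WITH_COMMENT)
    except sqlite3.OperationalError as exc:
        print("filtered input now breaks the statement:", exc)
    print("concatenated :", lookup_concatenated(db, WITH_LIKE))
    print("parameterized:", lookup_parameterized(db, WITH_LIKE))
```

The SQL error raised by the first input is the same symptom the post describes after the script was changed: the filter altered the statement without stopping user input from being parsed as SQL.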
